Total
10227 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-38311 | 1 Apache | 1 Traffic Server | 2025-04-29 | N/A | 6.3 MEDIUM |
| Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue. | |||||
| CVE-2022-45470 | 1 Apache | 1 Hama | 2025-04-29 | N/A | 7.5 HIGH |
| missing input validation in Apache Hama may cause information disclosure through path traversal and XSS. Since Apache Hama is EOL, we do not expect these issues to be fixed. | |||||
| CVE-2025-31477 | 1 Tauri | 1 Plugin-shell | 2025-04-29 | N/A | 9.8 CRITICAL |
| The Tauri shell plugin allows access to the system shell. Prior to 2.2.1, the Tauri shell plugin exposes functionality to execute code and open programs on the system. The open endpoint of this plugin is designed to allow open functionality with the system opener (e.g. xdg-open on Linux). This was meant to be restricted to a reasonable number of protocols like https or mailto by default. This default restriction was not functional due to improper validation of the allowed protocols, allowing for potentially dangerous protocols like file://, smb://, or nfs:// and others to be opened by the system registered protocol handler. By passing untrusted user input to the open endpoint these potentially dangerous protocols can be abused to gain remote code execution on the system. This either requires direct exposure of the endpoint to application users or code execution in the frontend of a Tauri application. This vulnerability is fixed in 2.2.1. | |||||
| CVE-2024-45871 | 1 Bandisoft | 1 Bandiview | 2025-04-28 | N/A | 6.3 MEDIUM |
| Bandisoft BandiView 7.05 is Incorrect Access Control via sub_0x232bd8 resulting in denial of service (DOS). | |||||
| CVE-2024-10846 | 2025-04-25 | N/A | 5.9 MEDIUM | ||
| The compose-go library component in versions v2.10-v2.4.0 allows an authorized user who sends malicious YAML payloads to cause the compose-go to consume excessive amount of Memory and CPU cycles while parsing YAML, such as used by Docker Compose from versions v2.27.0 to v2.29.7 included | |||||
| CVE-2022-36784 | 1 Elsight | 2 Halo, Halo Firmware | 2025-04-25 | N/A | 9.8 CRITICAL |
| Elsight – Elsight Halo Remote Code Execution (RCE) Elsight Halo web panel allows us to perform connection validation. through the POST request : /api/v1/nics/wifi/wlan0/ping we can abuse DESTINATION parameter and leverage it to remote code execution. | |||||
| CVE-2022-38900 | 1 Decode-uri-component Project | 1 Decode-uri-component | 2025-04-25 | N/A | 7.5 HIGH |
| decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. | |||||
| CVE-2022-45872 | 1 Iterm2 | 1 Iterm2 | 2025-04-25 | N/A | 9.8 CRITICAL |
| iTerm2 before 3.4.18 mishandles a DECRQSS response. | |||||
| CVE-2021-37533 | 2 Apache, Debian | 2 Commons Net, Debian Linux | 2025-04-24 | N/A | 6.5 MEDIUM |
| Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711. | |||||
| CVE-2022-43484 | 1 Nttdata | 2 Terasoluna Global Framework, Terasoluna Server Framework For Java \(rich\) | 2025-04-24 | N/A | 7.8 HIGH |
| TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application. | |||||
| CVE-2025-3162 | 1 Internlm | 1 Lmdeploy | 2025-04-23 | 4.3 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been classified as critical. Affected is the function load_weight_ckpt of the file lmdeploy/lmdeploy/vl/model/utils.py of the component PT File Handler. The manipulation leads to deserialization. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-36390 | 2 Canonical, Milesight | 2 Ubuntu Linux, Devicehub | 2025-04-23 | N/A | 7.5 HIGH |
| MileSight DeviceHub - CWE-20 Improper Input Validation may allow Denial of Service | |||||
| CVE-2025-30294 | 1 Adobe | 1 Coldfusion | 2025-04-23 | N/A | 6.8 MEDIUM |
| ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security protections and gain unauthorized read access. Exploitation of this issue does not require user interaction and scope is changed. | |||||
| CVE-2022-45113 | 1 Sixapart | 1 Movable Type | 2025-04-23 | N/A | 6.5 MEDIUM |
| Improper validation of syntactic correctness of input vulnerability exist in Movable Type series. Having a user to access a specially crafted URL may allow a remote unauthenticated attacker to set a specially crafted URL to the Reset Password page and conduct a phishing attack. Affected products/versions are as follows: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier. | |||||
| CVE-2024-20034 | 2 Google, Mediatek | 20 Android, Mt6761, Mt6765 and 17 more | 2025-04-22 | N/A | 7.2 HIGH |
| In battery, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08488849; Issue ID: ALPS08488849. | |||||
| CVE-2022-43723 | 1 Siemens | 1 Sicam Pas\/pqs | 2025-04-22 | N/A | 7.5 HIGH |
| A vulnerability has been identified in SICAM PAS/PQS (All versions < V7.0), SICAM PAS/PQS (All versions >= 7.0 < V8.06). Affected software does not properly validate the input for a certain parameter in the s7ontcp.dll. This could allow an unauthenticated remote attacker to send messages and create a denial of service condition as the application crashes. At the time of assigning the CVE, the affected firmware version of the component has already been superseded by succeeding mainline versions. | |||||
| CVE-2022-45871 | 1 F-secure | 1 Atlant | 2025-04-22 | N/A | 4.3 MEDIUM |
| A Denial-of-Service (DoS) vulnerability was discovered in the fsicapd component used in WithSecure products whereby the service may crash while parsing ICAP request. The exploit can be triggered remotely by an attacker. | |||||
| CVE-2022-42800 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2025-04-22 | N/A | 7.8 HIGH |
| This issue was addressed with improved checks. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, macOS Ventura 13, watchOS 9.1, iOS 16.1 and iPadOS 16, macOS Monterey 12.6.1, macOS Big Sur 11.7.1. A user may be able to cause unexpected app termination or arbitrary code execution. | |||||
| CVE-2022-20470 | 1 Google | 1 Android | 2025-04-22 | N/A | 7.8 HIGH |
| In bindRemoteViewsService of AppWidgetServiceImpl.java, there is a possible way to bypass background activity launch due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-234013191 | |||||
| CVE-2013-4812 | 1 Hp | 2 Identity Driven Manager, Procurve Manager | 2025-04-22 | 10.0 HIGH | N/A |
| UpdateCertificatesServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 does not properly validate the fileName argument, which allows remote attackers to upload .jsp files and consequently execute arbitrary code via unspecified vectors, aka ZDI-CAN-1743. | |||||